Manufacturers face challenges in meeting FDA cybersecurity guidance
- The FDA's June 2025 guidance requires a software bill of materials as part of premarket submissions.
- Manufacturers must implement continuous monitoring and provide plans for addressing vulnerabilities.
- All stakeholders in the medical device industry should collaborate with cybersecurity experts to ensure compliance.
In June 2025, the Food & Drug Administration (FDA) issued new guidance aimed at enhancing cybersecurity standards for medical devices in the United States. The guidance mandates that device manufacturers include a software bill of materials (SBOM) as part of their premarket submissions. Manufacturers are also required to outline a plan for patching and updating their devices when vulnerabilities are identified, and to monitor the security of those devices continuously once they are in use.

The 2025 guidance builds on prior recommendations, clarifying definitions and formalizing requirements. It emphasizes a risk-based approach throughout the product's life cycle, from initial development to post-market monitoring. Notably, manufacturers are expected to integrate cybersecurity considerations into their overall risk management processes, as outlined in ISO 14971, so that cybersecurity risks are evaluated alongside traditional safety risks.

While some manufacturers are adept at navigating these new regulations, many lack the necessary cybersecurity expertise. The FDA's mandate insists on embedding cybersecurity measures across all stages of the product lifecycle, which poses challenges especially for smaller or newer companies entering the market. A 2025 report highlighted that 22% of healthcare organizations reported experiencing cyberattacks against medical devices, with a significant portion impacting patient care.

In response to these emerging threats and the complexity of the new requirements, manufacturers should not attempt to tackle compliance independently. Engaging cybersecurity experts and fostering a collaborative approach can enhance the overall safety and effectiveness of medical devices, particularly in an evolving threat landscape.